Hi, Try    preview=true   It's must be like that  curl -k -u admin:pass https://localhost:8089/services/search/v2/jobs/mysearch_02151949/results preview=true ... View more

I couldn't exactly understand what you're not doing with the timestamp. There are many different ways to extract the timestamp from the log. If you want to capture this field additionally, you can use \S+\s\S+. There is example regex; ^\S+\s+\S+\s\w+\s(\S+(?:\S+\s+){1}\S+) ... View more

Yes, you can directly receive logs in Splunk by opening the TCP/UDP port, but this is not a recommended method by Splunk. In the correct scenario, it would be more appropriate to write logs to a file using software like rsyslog or syslog-ng and then monitor the file. ... View more

I think there is no need where filter. you can find external ips in search filter. Can you try this ?  source="udp:514" index="syslog" sourcetype="syslog" NOT src IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) ... View more

Hi, According to the documentation, you can do this, but it is strongly discouraged. In the correct scenario, it would be more sensible to use a signed certificate or perform SSL forwarding on a load balancer. I recommend against testing this in a production environment.   in $SPLUNK_HOME/etc/system/local/server.conf [sslConfig] enableSplunkdSSL = false   [sslConfig] * Set SSL for communications on Splunk back-end under this stanza name. * NOTE: To set SSL (for example HTTPS) for Splunk Web and the browser, use the web.conf file. * Follow this stanza name with any number of the following setting/value pairs. * If you do not specify an entry for each setting, the default value is used. enableSplunkdSSL = <boolean> * Enables/disables SSL on the splunkd management port (8089) and KV store port (8191). * NOTE: Running splunkd without SSL is not recommended. * Distributed search often performs better with SSL enabled. * Default: true ... View more

Okay Than, We can use regex. Can you try this ?  | makeresults | eval description = "somestring1 somestring2 somestring3 somestring4 somestring5" | rex field=description "(?<new_field>^\S+(?:\S+\s+){20}\S+)" | eval new_field_replaced = replace(description,new_field,"") | eval description = replace(description,new_field,"")     ... View more

Hello, You can try this. | makeresults | eval test = "somestring1somestring2somestring3" | eval new_field = if(len(test)>20,substr(test,20,len(test)),null()) ... View more

Thank you for answer. As you said, If I don't find any solution, I have to install another HF. ... View more

Hi, Create a Splunk account if you don't have one already. Login to Splunk and go to the "Add Data" page by clicking on the "Add Data" button in the main menu. Select "HTTP Event Collector" as the data source. Create a new HTTP Event Collector token by clicking on the "New Token" button. Give a name to the token and click on the "Create" button. Copy the token value and save it for later use. In your Heroku dashboard, go to the app you want to monitor. Add the Splunk Add-on to the app by running the following command in your terminal: $ heroku addons:create splunk $ heroku addons:open splunk   This will open the Splunk Add-on configuration page in your browser. Enter the token value in the "HEC Token" field and click on "Save". Once the Splunk Add-on is configured, you can start sending logs to Splunk by adding the following configuration to your app's log drain:   Splunk Cloud $ heroku drains:add https://input-output.cloud.splunk.com:443/inputs/http/<HEC Token> Splunk $ heroku drains:add https://splunk.yourdomain.com:443/inputs/http/<HEC Token>   Or you can send syslog. https://www.splunk.com/en_us/blog/tips-and-tricks/splunking-heroku.html?locale=en_us ... View more

I believe that the problem might be caused by internet access. Does your machine have internet access? Some JS and CSS files may be retrieved from the CDNs on the internet. ... View more

Also , you can try this.    LINE_BREAKER = ()[\[\w\.\]]+ ... View more

Can you try in props.conf this config: LINE_BREAKER = ([\r\n]+)[\[\w\.\]]+ ... View more

You can try this ;  | inputlookup append=true test1.csv | eval order = "test1.csv" | inputlookup append=true test2.csv | eval order = if(isnull(order),"test2.csv",order) | inputlookup append=true test3.csv | eval order = if(isnull(order),"test3.csv",order) ... View more

Also you can try this ;  | eval status = if(match(_raw,"Main function executed successfully. "),"Success","No Sucess Message") ... View more

hi, I think,That's reason zombie process. If that possible can you reboot your server ? , If is not can you kill splunkd process with kill -9 command. But these two option is dangerous for production environment. Please be careful. After the reboot, with ps command find which user manege your splunkd process. ps auxf|grep splunk ... View more

Hi, That is possible. for windows uf's  inputs.conf; [script://.\\bin\\script.bat] disabled = False interval = 43200   For linux uf's; inputs.conf [script://.\\bin\\script.sh] disabled = False interval = 43200   Finally ;  You must put script in bin folder same app. Example bin folder; custom_app/bin/script.bat custom_app/bin/script.sh Example local folder; custom_app/local/inputs.conf must be like above. ... View more

Hi, You thinking wrong because you calculate difference field.  Try This ;    | makeresults | eval tt0=relative_time(now(),"-10m@m"), tt1=now() | eval diff = tt1 - tt0 | eval diff = tostring(diff,"duration") ... View more

Everythings is correct. Also I get logs properly. I installed apps necessary. Which add-ons must for integrate apache and splunk itsi. ... View more

Some of pieces of data different but I'll try to change. The answer is correct. ... View more